Due to resource constraints of the sensor nodes, traditional public key cryptographic techniques are not
feasible in most sensor network architectures. Several symmetric key distribution mechanisms have been proposed for
establishing pairwise keys between sensor nodes in sensor networks, but most of them are not scalable and are
not well suited for mobile sensor networks because they incur high communication as well as computational
overheads. Moreover, these schemes are either vulnerable to a small number of compromised sensor nodes or
involve expensive protocols for establishing keys. In this paper, we introduce a new scheme for establishing keys
between sensor nodes with the help of additional high-end sensor nodes, called the auxiliary nodes. Our scheme
provides unconditional security against sensor node captures and high network connectivity. In addition, our
scheme has a minimal key storage requirement, mainly because only a single key is stored in each node of the
sensor network before deployment. It also efficiently supports the addition of new nodes after initial deployment
and works for any deployment topology.

Keywords: Mobile sensor networks; Heterogeneous sensor networks; Key management; Pairwise keys; Security. 






1. Introduction 

In a sensor network, many small computing 
nodes are deployed for the purpose of sensing data 
and then transmitting the data to nearby base 
stations. Public-key cryptosystems are not suited 
in such networks because of resource limitations 
of the nodes and also due to the vulnerability 
of physical captures of the nodes by the enemy. 
The symmetric ciphers such as DES [17], AES [4], 
RC5 [16] are the viable options for encrypting se- 
cret data. However, setting up symmetric keys 
among communicating nodes remains a challeng- 
ing problem. A survey on sensor networks can be 
found in 

The topology of the network is in general dy- 
namic, because the connectivity among the sensor 
nodes may vary with time due to several factors 
such as node addition, node departure, and the 
possibility of having mobile nodes. In our case, 
we assume that the nodes are highly mobile. 

Pairwise key establishment between neighboring sensor nodes in a sensor
network is done by a protocol known as the bootstrapping protocol. A
bootstrapping protocol usually involves several steps. In the key
pre-distribution phase, each sensor node is loaded with a set of
pre-distributed keys in its memory. This is done before deployment of the
sensor nodes in a target field. After deployment, a direct key
establishment (shared key discovery) phase is performed by the nodes in
order to establish direct pairwise keys between them. Two nodes u and v
are called physical neighbors if they are within the communication ranges
of one another. They are called key neighbors if they share one or more
key(s) in their key rings $K_u$ and $K_v$. The nodes u and v can secretly
and directly communicate with one another if and only if they are both
physical and key neighbors. In this case we call u and v direct neighbors.
The path key establishment phase is an optional stage and, if executed,
adds to the connectivity of the network. In this phase, a secure path is
discovered between two physical neighbors and a fresh pairwise key is sent
securely along that path.

The simplest solution is the use of a single mission key for the entire
network. In this case, each node is given the same mission key before
deployment in the network. After deployment, any two neighbor nodes can
communicate with each other using this key. Unfortunately, the compromise
of even a single node in a network would reveal the secret key and thus
allow decryption of all network traffic. SPINS [15] is a protocol that
provides pairwise key establishment using the base station as a KDC (key
distribution center). However, this protocol incurs huge communication
overhead and is also vulnerable to a single point of failure. Several
techniques [9], [3], [14], [7], [2] have been proposed in the literature in
order to solve the bootstrapping problem. These schemes are not well suited
for mobile sensor networks because the bootstrapping procedure involves
considerable communication and computational overheads and cannot be
repeated very often.

The key pre-distribution scheme [5] proposed for mobile heterogeneous
wireless sensor networks is an improvement of the Dong and Liu's
scheme [6]. This scheme supports large-scale sensor networks and dynamic
node addition efficiently after initial deployment. In this scheme, each
regular sensor node is required to store the same amount of keying
information as in other schemes [9], [3], [14], [6].

In this paper, we propose a new key pre- 
distribution mechanism suitable for highly mobile 
sensor networks. Our scheme requires minimal 
storage requirement due to storing a single key 
in each sensor's memory. Security analysis and 
performance evaluation illustrate that our scheme 
provides better performance than existing proto- 
cols, in terms of network connectivity, key storage 
overhead and network resilience against node cap- 
ture attacks. Simulation results also demonstrate 
that our scheme is highly applicable for mobile 
wireless sensor networks. 

The rest of this paper is organized as follows. In Section 2, we briefly
describe the Dong and Liu's scheme which can be applied for highly mobile
sensor nodes. Section 3 introduces our proposed scheme. In Section 4, we
give a detailed analysis of our scheme with respect to network
connectivity, resilience against node captures and overheads required by a
sensor node in order to establish pairwise keys with its neighbor nodes.
We discuss the simulation results of our scheme in Section 5. Section 6
compares the performances of our scheme with the previous schemes. Finally,
we conclude the paper in Section 7.

2. Overview of the Dong and Liu's Scheme 

This scheme, proposed recently by Dong and Liu [6], does not depend on the
sensors' location information and can be used for sensor networks with
highly mobile sensor nodes. The main idea behind their approach is to
deploy additional sensor nodes, called assisting nodes, to help the
pairwise key establishment between sensor nodes in a sensor network. Thus,
they will not be useful for secure node-to-node communication in the
network. The sensor nodes which are not assisting nodes are called the
regular sensor nodes.

In the key pre-distribution phase, before deployment, the base station
generates a unique master key $MK_u$ for every sensor node u which will be
shared between u and the base station only. Every assisting node i will
get preloaded with a hash value $H(MK_u \| i)$ for every regular sensor
node u, where H is a one-way hash function (for example, SHA-1) and "||"
denotes the concatenation operation. If n is the number of regular sensor
nodes in the network, it is thus assumed that each assisting node will
store all n hash images.

In the pairwise key establishment phase, after deployment, every regular
sensor node first discovers the assisting nodes as well as other regular
sensor nodes in its communication range. If a regular sensor node u needs
to establish a pairwise key with its neighbor regular sensor node v, it
will send a request to every neighbor assisting node i. The request
message includes the IDs of u and v and will be protected by the key
$H(MK_u \| i)$, which is already preloaded to the assisting node i. We
note that, in this case, the assisting node acts as a KDC (key
distribution center). After receiving such a request from u, the assisting
node i will generate a reply to u. The assisting node i generates a random
key R, makes two copies of it, one protected by $H(MK_u \| i)$ (for node
u) and the other protected by $H(MK_v \| i)$ (for node v), and finally
sends these two protected copies to node u. Node u then gets R by
decrypting the protected R using the key $H(MK_u \| i)$ and forwards the
other protected copy of R to node v. Similarly, node v retrieves R by
decrypting the protected R using the key $H(MK_v \| i)$. Thus, u will
receive a random key from every neighbor assisting node. If
$\{R_1, R_2, \ldots, R_l\}$ is the set of all these random keys, the final
key between u and v is computed as
$k_{u,v} = R_1 \oplus R_2 \oplus \cdots \oplus R_l$. We note that as long
as at least one random key is secure, this final key $k_{u,v}$ will be
safe.

It may be possible that a regular sensor node cannot find any assisting
sensor node in its neighborhood. In that case, the supplemental key
establishment phase will be performed, where a regular sensor node may
discover a set of assisting nodes within a certain number of hops in order
to establish a pairwise key with its neighbor node.

This scheme guarantees a high probability of establishing keys between
regular sensor nodes and provides better security compared to the EG
scheme [9], the q-composite scheme [3], the random pairwise keys scheme [3]
and the polynomial-pool based scheme [14]. The main drawback of this scheme
is that it does not support dynamic regular sensor node addition after
initial deployment, which is considered a very crucial issue in sensor
networks.

3. Our Proposed Scheme 

In this section, we describe the motivation 
behind development of our novel scheme. We 
then describe assumptions, notations and various 
phases of our scheme. 

3.1. Motivation 

Our scheme is motivated by the following considerations. In the Dong and
Liu's scheme [6], it is necessary to store a large number of hash images
of keys of the regular sensor nodes in each assisting node's memory. In
particular, for a large-scale sensor network, an assisting node thus has
to store a huge number of hash values of keys of the regular sensor nodes.
Moreover, the assisting nodes are only used for pairwise key establishment
between regular sensor nodes and hence they are not helpful for secure
node-to-node communication or for authentication in a sensor network.
Thus, in case of node compromise they will not be helpful for secure
communications.

Though their scheme provides high network connectivity and much better
resilience against node captures than the EG scheme [9], the q-composite
scheme [3], the random pairwise keys scheme [3] and the polynomial-pool
based scheme [13], it still cannot guarantee perfect security (i.e.,
unconditional security) against node captures even after enhancing their
scheme by updating the keys for the regular sensor nodes in assisting
nodes after key establishment. Thus, it introduces considerable
computational overheads for the assisting sensor nodes in order to update
those keys for better security. Another drawback of their scheme is that
it does not support dynamic regular sensor node addition after initial
deployment. Addition of new regular sensor nodes is extremely important
for a sensor network, because sensor nodes may be compromised by an
attacker or may expire due to energy consumption, and as a result, we
always expect to deploy some fresh nodes to join the network in order to
continue security services.

To overcome the aforementioned problems, we propose a new key
pre-distribution scheme suited for highly mobile sensor nodes. As in [5],
we make an assumption that a mobile node is aware of its physical
movement. After each movement, a node will initiate a pairwise key
establishment procedure in its new physical neighborhood.

Our scheme has the following interesting prop- 
erties: 

• It provides high network connectivity. 

• It is unconditionally secure against node captures. This means that no
matter how many nodes are compromised, an attacker will never compromise
secret communications between non-compromised nodes in the network.

• It has a minimal storage requirement: a single key is stored in each
node's memory.

• It supports dynamic node addition effi- 
ciently after initial deployment. 

3.2. Assumptions 

We list the following basic assumptions as used 
in [8] for developing our protocol: 

• A1: We consider a wireless sensor network consisting of two types of
sensors: a small number of High-end sensors (H-sensors) and a huge number
of Low-end sensors (L-sensors). The H-sensors are equipped with high power
batteries, large memory storages and data processing capacities. They can
execute relatively complicated numerical operations. On the other hand,
the L-sensors are inexpensive and extremely resource constrained (as
in ). Each L-sensor has limited battery power, memory size, data
processing capability and short radio transmission range. For example, the
H-sensors can be PDAs and the L-sensors are the MICA2-DOT motes [13].

• A2: H-sensors are equipped with tamper resistant hardware. This is
realistic in practical applications, since only a small number of such
nodes are to be deployed in the network. Thus, all the keying information
stored in each H-sensor will not be disclosed to an attacker even if he
captures any H-sensor node in the network.

• A3: Due to cost constraints, L-sensors are not equipped with tamper
resistant hardware. We assume that an attacker can eavesdrop on all
traffic, inject packets and replay old messages previously delivered. We
further assume that if an attacker captures an L-sensor node, all the
keying information it holds will also be compromised.

• A4: After deployment, we assume that H-sensors will be static, whereas
L-sensors are highly mobile nodes in the network.



3.3. Notations 

Following is the convention we use to describe 
the protocol in this paper. 

• $u \to v : M$ refers to a message M sent from a node u to another
node v.

• $id_u$ : the unique identifier of a sensor node u, that is, a name of
node u.

• $MK_u$ : the master key of a sensor node u to be shared with the base
station only.

• $SK$ : the special key shared by all the H-sensors and the base station.

• $k_{u,v}$ : a shared secret key between nodes u and v.

• $E_k(M)$ : a message M encrypted using key k.

• $MAC_k(M)$ : a message authentication code (MAC) for the message M,
under the key k.

• $PRF_k(M)$ : output of a pseudo-random function (PRF) for the message M,
under the key k.

• $RN_u$ : a random nonce generated by the sensor node u. A nonce is a
one-time random bit-string, usually used to achieve freshness.

• $A \| B$ : data A concatenated with data B.

3.4. Protocol Description 

The main idea behind our scheme is to deploy a small number of additional
H-sensor nodes along with a large number of L-sensor nodes in the network,
so that H-sensors can help in the pairwise key establishment procedure
between sensor nodes. The L-sensor nodes are to be deployed randomly in a
target field, whereas the H-sensor nodes will be deployed to their
expected locations. After deployment, sensor nodes will form a multi-hop
infrastructure-less wireless communication network with each other and
finally communicate with the base station. The base station is the most
powerful node and it can be located either at the center or at a corner of
the target field. Let m be the number of H-sensor nodes and n the number
of L-sensor nodes, where n >> m. For convenience, we call the H-sensors
the auxiliary nodes, because they will help in the pairwise key
establishment procedure, and the L-sensors the regular sensor nodes. Our
protocol has the following phases.

3.4.1. Key Pre-Distribution Phase 

This phase is done offline by a key setup server before deployment of the
nodes in a target field. It consists of the following steps:

• Step-1: For each auxiliary sensor node $AS_i$, the setup server assigns
a unique identifier, say $id_{AS_i}$. Similarly, for each regular sensor
node u, the setup server also assigns a unique identifier, say $id_u$.

• Step-2: The setup server randomly generates a special key SK which will
be given to all the auxiliary sensor nodes and the base station.

• Step-3: For each deployed regular sensor node u, the setup server
randomly generates a master key $MK_u$ which will be shared with the base
station only. This master key is computed using the special key SK and the
identifier $id_u$ as $MK_u = PRF_{SK}(id_u)$, where PRF is a pseudo random
function proposed by Goldreich et al. [11].

• Step-4: Finally, the setup server loads (i) the identifier $id_{AS_i}$
and (ii) the special key SK to the memory of each auxiliary sensor node
$AS_i$. Each regular sensor node u is loaded with the following
information: (i) its own identifier $id_u$ and (ii) its own master key
$MK_u$ before deployment.

3.4.2. Direct Key Establishment Phase 

In this phase, we consider the following two 
cases. 

Case 1: Key establishment between regular sensor nodes

After deployment of the nodes, every regular sensor node discovers an
auxiliary sensor node in its communication range. If a regular sensor node
u wants to establish a secret pairwise key with its neighbor regular
sensor node v, node v will send a request to its auxiliary node. Let
$AS_i$ be an auxiliary node discovered by the node v within its
neighborhood. Then the auxiliary node $AS_i$ will generate a random key
$k_{u,v}$, create two protected copies of it, one for u and the other for
v, and send a reply containing these two protected copies of $k_{u,v}$ to
node v. Upon receiving such a reply from $AS_i$, node v will retrieve
$k_{u,v}$ and forward the other copy to u. u will also retrieve $k_{u,v}$.
Finally, u and v will store $k_{u,v}$ for their future secret
communications.

This phase for establishing pairwise keys between u and v is summarized
below:

1. Node u generates a random nonce $RN_u$ and sends the following message
to node v.

$u \to v : (id_u \| RN_u)$.

2. Node v also generates a random nonce $RN_v$ and sends the following
message to its auxiliary node $AS_i$:

$v \to AS_i : T = (id_u \| id_v \| RN_u \| RN_v) \,\|\, MAC_{MK_v}(T)$.

3. The auxiliary node $AS_i$ first computes the master key of v as
$MK_v = PRF_{SK}(id_v)$ and then computes $MAC_{MK_v}(T)$. If the computed
MAC and the received MAC are equal, v is considered as a legitimate node.
Only if the authentication is successful does the auxiliary node $AS_i$
compute the master key of u as $MK_u = PRF_{SK}(id_u)$. Finally, the
auxiliary node $AS_i$ generates a random key $k_{u,v}$ and sends two
copies of it, one protected by $MK_u$ (for node u) and another protected
by $MK_v$ (for node v), to node v as follows:

$AS_i \to v : (E_{MK_u}(k_{u,v} \oplus id_u \oplus RN_u),\ E_{MK_v}(k_{u,v} \oplus id_v \oplus RN_v))$.

4. Node v decrypts $E_{MK_v}(k_{u,v} \oplus id_v \oplus RN_v)$ using its
own master key $MK_v$, retrieves $k_{u,v}$ using its own identifier and
its own random nonce as
$k_{u,v} = (k_{u,v} \oplus id_v \oplus RN_v) \oplus (id_v \oplus RN_v)$
and forwards the other protected copy of $k_{u,v}$ to node u:

$v \to u : E_{MK_u}(k_{u,v} \oplus id_u \oplus RN_u)$.

Similarly, after receiving the last message from v, u retrieves $k_{u,v}$
using its own master key $MK_u$. The auxiliary sensor node $AS_i$ discards
the computed master keys $MK_u$ (for regular sensor node u) as well as
$MK_v$ (for regular sensor node v) and the generated key $k_{u,v}$ from
its memory. The special key SK is secure, since the auxiliary nodes are
equipped with tamper resistant hardware. Therefore, based on the security
of the PRF function [11], even if an attacker knows a master key of a
captured regular sensor node, it is computationally infeasible to compute
the special key SK. We note that each auxiliary node acts as a KDC. We
also observe that the transaction between two nodes is uniquely determined
by attaching the random nonce of a node in the message by another node.
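
The pre-distribution steps and the four messages of Case 1, run end to end as an added example that is not code from the paper. It assumes HMAC-SHA256 as a stand-in for both PRF and MAC, a one-block HMAC keystream as a stand-in for E, and 16-byte identifiers, nonces and keys; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

N = 16  # bytes; ids, nonces and pairwise keys share one length so they can be XORed

def prf(key: bytes, msg: bytes) -> bytes:
    # Stand-in for PRF_k(M): HMAC-SHA256 truncated to N bytes (assumption, not the paper's PRF).
    return hmac.new(key, b"prf" + msg, hashlib.sha256).digest()[:N]

def mac(key: bytes, msg: bytes) -> bytes:
    # Stand-in for MAC_k(M).
    return hmac.new(key, b"mac" + msg, hashlib.sha256).digest()

def xor(*parts: bytes) -> bytes:
    out = bytes(N)
    for part in parts:
        out = bytes(a ^ b for a, b in zip(out, part))
    return out

def _keystream(key: bytes, iv: bytes) -> bytes:
    return hmac.new(key, b"enc" + iv, hashlib.sha256).digest()[:N]

def encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for E_k(M): fresh IV plus an HMAC-derived keystream over one N-byte block.
    iv = secrets.token_bytes(N)
    return iv + xor(block, _keystream(key, iv))

def decrypt(key: bytes, blob: bytes) -> bytes:
    return xor(blob[N:], _keystream(key, blob[:N]))


class RegularNode:
    def __init__(self, node_id: bytes, master_key: bytes):
        self.id, self.mk, self.nonce = node_id, master_key, b""

    def hello(self):
        # Step 1, u -> v: (id_u || RN_u)
        self.nonce = secrets.token_bytes(N)
        return self.id, self.nonce

    def request(self, peer_id: bytes, peer_nonce: bytes) -> bytes:
        # Step 2, v -> AS_i: T || MAC_{MK_v}(T) with T = id_u || id_v || RN_u || RN_v
        self.nonce = secrets.token_bytes(N)
        t = peer_id + self.id + peer_nonce + self.nonce
        return t + mac(self.mk, t)

    def recover(self, protected: bytes) -> bytes:
        # Step 4: decrypt with the node's own master key, then strip its id and nonce.
        return xor(decrypt(self.mk, protected), self.id, self.nonce)


class AuxiliaryNode:
    def __init__(self, special_key: bytes):
        self.sk = special_key  # SK, assumed to sit in tamper resistant storage (A2)

    def handle(self, message: bytes):
        # Step 3: authenticate v, then return the two protected copies of k_{u,v}.
        if len(message) != 4 * N + 32:
            return None                      # malformed request
        t, tag = message[:4 * N], message[4 * N:]
        id_u, id_v, rn_u, rn_v = (t[i:i + N] for i in range(0, 4 * N, N))
        mk_v = prf(self.sk, id_v)            # recomputed on demand, never stored
        if not hmac.compare_digest(tag, mac(mk_v, t)):
            return None                      # sender does not hold PRF_SK(id_v)
        mk_u = prf(self.sk, id_u)
        k_uv = secrets.token_bytes(N)
        return (encrypt(mk_u, xor(k_uv, id_u, rn_u)),
                encrypt(mk_v, xor(k_uv, id_v, rn_v)))


class SetupServer:
    def __init__(self):
        self.sk = secrets.token_bytes(N)     # Step-2: special key SK

    def regular(self, name: str) -> RegularNode:
        node_id = hashlib.sha256(name.encode()).digest()[:N]  # constructed identifier
        return RegularNode(node_id, prf(self.sk, node_id))    # Step-3: MK_u = PRF_SK(id_u)

    def auxiliary(self) -> AuxiliaryNode:
        return AuxiliaryNode(self.sk)


def establish(u: RegularNode, v: RegularNode, aux: AuxiliaryNode, tamper: bool = False):
    """Run steps 1-4; return (key at u, key at v), or None if AS_i rejects the request."""
    id_u, rn_u = u.hello()
    message = v.request(id_u, rn_u)
    if tamper:  # constructed fault: one bit of T flipped in transit
        message = bytes([message[0] ^ 1]) + message[1:]
    reply = aux.handle(message)
    if reply is None:
        return None
    for_u, for_v = reply                     # v keeps for_v and forwards for_u to u
    return u.recover(for_u), v.recover(for_v)


if __name__ == "__main__":
    server = SetupServer()
    u, v, aux = server.regular("u"), server.regular("v"), server.auxiliary()
    k_u, k_v = establish(u, v, aux)
    print("keys match:", k_u == k_v)
    print("tampered request:", establish(u, v, aux, tamper=True))
```

The auxiliary node keeps only SK between runs, which is why the scheme's resilience argument rests on assumption A2.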

Case 2: Key establishment between auxiliary nodes and regular sensor nodes

If a regular sensor node, say u, wants to establish a pairwise key with
its neighbor auxiliary node, say $AS_j$, u simply sends a request message
containing its own identifier $id_u$ to $AS_j$. After receiving such a
request from the node u, $AS_j$ generates a random key $k_{u,AS_j}$. After
that, $AS_j$ computes the master key of u using the special key SK and the
identifier $id_u$ of node u as $MK_u = PRF_{SK}(id_u)$, makes a protected
copy of the generated random key as $E_{MK_u}(k_{u,AS_j})$ and sends this
to node u. After receiving such a message, u decrypts this protected key
using its own master key $MK_u$. In this way, u and $AS_j$ will establish
a pairwise key and store this key for secret communications in future. The
auxiliary sensor node $AS_j$ also discards the computed master key $MK_u$
for the node u from its memory.



3.4.3. Supplemental Key Establishment 
Phase 

Though our later analysis in Section 4.1 shows that even for a small
fraction of the auxiliary sensor nodes it is possible to achieve a high
probability of establishing pairwise keys using our direct key
establishment phase, it is still possible that a regular sensor node
cannot find an auxiliary sensor node in its neighborhood because the
accurate deployment of the auxiliary nodes in their expected locations may
not be guaranteed in some scenarios. In this situation, we have the
supplemental key establishment phase. In this phase, a regular sensor node
discovers an auxiliary sensor node that is no more than h hops away from
itself. This can also be easily achieved by having u's neighbors help
collect the id of an auxiliary node in their neighborhood. Once an
auxiliary sensor node is discovered, the remaining steps are similar to
the direct key establishment phase. We note that the discovery and usage
of an auxiliary node using multiple hops introduces additional
communication overhead. However, we will show in Section 4.1 that by using
only one hop, it is sufficient to achieve a very high probability of
establishing pairwise keys between nodes. Also, this phase is not likely
to be invoked frequently and hence we believe that this will not be a big
problem.

3.4.4. Dynamic Node Addition Phase 

Sometimes nodes may be faulty due to battery- 
energy consumption, malfunctioning, etc. or 
compromised by an attacker by capturing the 
nodes. Therefore, it is necessary to redeploy some 
new sensor nodes to replace those faulty or com- 
promised sensor nodes, or to deploy fresh nodes 
in the sensor network. 

In order to deploy a new regular sensor node u, the key setup server has
to generate a unique identifier $id_u$ and a master key $MK_u$, which is
computed using the special key SK and the identifier $id_u$ as
$MK_u = PRF_{SK}(id_u)$, and load this information into its memory.

In order to deploy a new auxiliary sensor node, say $AS_i$, the key setup
server assigns a unique identifier, say $id_{AS_i}$. After that the setup
server loads into its memory this identifier $id_{AS_i}$ and the previous
special key SK, which is already held by all the deployed auxiliary sensor
nodes in the network.

After deployment of such new nodes in the network, they establish pairwise
keys using our direct key establishment phase and, if required, using the
supplemental key establishment phase. Thus, we see that dynamic node
addition in our protocol is done efficiently.

4. Analysis of Our Scheme 

In this section, we analyze the network connectivity of our scheme, i.e.,
the probability of establishing pairwise keys between neighbor nodes in
the network. We then analyze the resilience against node capture. Finally,
we discuss overheads required in our scheme in order to establish pairwise
keys between neighbor nodes.

4.1. Network Connectivity 

For simplicity, we assume that nodes are evenly distributed in the target
field. Let m be the number of auxiliary sensor nodes and n the number of
regular sensor nodes in the target field. Let d be the average number of
neighbor nodes of each node. Let u and v be two neighbor nodes. We assume
that p denotes the overall probability that any two neighbor nodes u and v
can establish a pairwise key between them in the direct key establishment
phase and $p_1$ the probability of establishing pairwise keys between two
neighbor sensor nodes u and v using a one-hop auxiliary sensor node from v
in the supplemental key establishment phase.

In order to establish a pairwise key between two neighbor regular sensor
nodes u and v, if u initiates a request to establish a pairwise key with
v, v is required to communicate with an auxiliary sensor node in its
communication range. The probability that an auxiliary node $AS_i$ is not
in the neighborhood of the regular sensor node v can be estimated by
$1 - \frac{d}{m+n}$. Since there are m auxiliary nodes in the network, the
probability that the regular sensor node v fails to discover any auxiliary
node $AS_i$ in its neighborhood can be

estimated by . As a result, the prob- 

ability of establishing a pairwise key between two 



neighbor regular sensor nodes u and v is given by

$$p' = 1 - \left(1 - \frac{d}{m+n}\right)^{m}. \qquad (1)$$



Since there are n regular sensor nodes and m auxiliary sensor nodes in the
network, the total number of direct communication links is
$\frac{(m+n)d}{2}$, since each node has d neighbor nodes on average. We
note from our direct key establishment phase that each auxiliary node can
establish a secret key with its neighbor regular sensor nodes. Since there
are m auxiliary nodes in the network, the number of secure communication
links due to key establishment between auxiliary nodes and their neighbor
regular sensor nodes becomes $\frac{md}{2}$. Again, we have another
$\frac{nd}{2} \times p'$ secure links in the network due to key
establishment between regular sensor nodes with the help of auxiliary
nodes. As a result, we obtain
$\left(\frac{md}{2} + \frac{nd}{2} \times p'\right)$ secure links out of
total $\frac{(m+n)d}{2}$ links. Hence, the required overall network
connectivity is given by

$$p = \frac{\frac{md}{2} + \frac{nd}{2} \times p'}{\frac{(m+n)d}{2}} = \frac{m + n \times p'}{m + n}. \qquad (2)$$



Figure 1 shows the relationship between the probability p of establishing
keys between neighbor nodes versus the fraction of auxiliary sensor nodes.
From this figure, we observe that p increases faster as d increases.
Moreover, for a small fraction of auxiliary sensor nodes, our scheme also
guarantees a high probability of establishing keys between neighbor sensor
nodes.
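
The two direct-phase estimates evaluated for the parameters of Section 5 (n = 5000, d = 80) and checked against a small Monte Carlo run, as an added example that is not part of the paper. It takes equation (1) as p' = 1 - (1 - d/(m+n))^m and equation (2) as p = (m + n p')/(m + n); the function names and the sampling model are assumptions made here.

```python
import random

def p_regular(m: int, n: int, d: int) -> float:
    """Equation (1): probability that v has at least one auxiliary node
    among its neighbors, so that u and v can obtain a key."""
    return 1.0 - (1.0 - d / (m + n)) ** m

def p_overall(m: int, n: int, d: int) -> float:
    """Equation (2): links to auxiliary nodes always get a key, links between
    regular nodes get one with probability p'."""
    return (m + n * p_regular(m, n, d)) / (m + n)

def min_auxiliary_nodes(n: int, d: int, target: float, m_max: int = 10_000):
    """Smallest m whose overall direct connectivity reaches `target`, or None."""
    for m in range(1, m_max + 1):
        if p_overall(m, n, d) >= target:
            return m
    return None

def simulate_p_regular(m: int, n: int, d: int, trials: int = 4000, seed: int = 1) -> float:
    """Monte Carlo estimate of p' under the model behind equation (1): each of
    the m auxiliary nodes independently lies in v's neighborhood with
    probability d/(m+n). A trial succeeds if at least one of them does."""
    rng = random.Random(seed)            # fixed seed so the run is repeatable
    q = d / (m + n)
    hits = sum(any(rng.random() < q for _ in range(m)) for _ in range(trials))
    return hits / trials

def table(n: int = 5000, d: int = 80, ms=(50, 100, 200, 300, 500)):
    """Rows of (m, p', p) for a range of auxiliary node counts."""
    return [(m, p_regular(m, n, d), p_overall(m, n, d)) for m in ms]

if __name__ == "__main__":
    print("   m      p'       p")
    for m, pp, p in table():
        print(f"{m:4d}  {pp:.4f}  {p:.4f}")
    print("smallest m with p >= 0.99:", min_auxiliary_nodes(5000, 80, 0.99))
    print("simulated p' for m = 100:", simulate_p_regular(100, 5000, 80))
```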

From the supplemental key establishment phase, we notice that if a sensor
node v cannot discover any auxiliary sensor node in its neighborhood, it
will discover an auxiliary sensor node within h-hop range from it. Once an
auxiliary sensor node is discovered, v can establish a pairwise key with
its neighbor node u. We now consider the case h = 1. The probability that
none of the neighbors of v can discover an auxiliary sensor node can be
estimated by
As a result, we have,

Pi=P+{l-p) X I 1- (1- 



1 



771 + n 



■ (3) 

Figure 1. Direct network connectivity p of our scheme vs. the fraction of
auxiliary sensor nodes.

Figure 2. Network connectivity $p_1$ vs. the fraction of auxiliary sensor
nodes during the one-hop supplemental key establishment phase of our
scheme.



Figure 2 illustrates the relationship between the probability $p_1$ of
establishing pairwise keys between neighbor nodes versus the fraction of
auxiliary sensor nodes. We note that once a regular sensor node discovers
an auxiliary sensor node within its one-hop neighbors, the probability of
establishing pairwise keys between neighbor nodes becomes very high. As a
result, we observe that one need not apply more than a one-hop
supplemental key establishment phase after the direct key establishment
phase.



4.2. Resilience against Node Capture 

The resilience of a scheme against node capture attack is measured by
estimating the fraction of total secure communications that are
compromised by a capture of c nodes, not including the communication in
which the compromised nodes are directly involved. In other words, we want
to find out the effect of c sensor nodes being compromised on the rest of
the network. For example, for any two non-compromised sensor nodes u and
v, we have to find out the probability that the adversary can decrypt the
secret communications between u and v when c sensor nodes are already
compromised.

From our key pre-distribution phase described in subsection 3.4.1, we see
that each auxiliary sensor node is given the special key SK. This special
key SK is secure, because all the auxiliary sensor nodes are equipped with
tamper resistant hardware. As a result, based on the security of the PRF
function [11], it is computationally infeasible to recover the special key
SK from the master key $MK_u = PRF_{SK}(id_u)$ of a compromised regular
sensor node u. We also notice from our direct key establishment phase as
well as supplemental key establishment phase that each pairwise key
between nodes is generated randomly. Thus, no matter how many nodes are
captured, an attacker knows nothing about the secret communications
between non-compromised nodes. In other words, no matter how many nodes
are captured, non-compromised nodes can still communicate with 100%
secrecy. In this way, our scheme guarantees unconditional security against
node capture attacks.

4.3. Overheads

Our scheme only requires a single master key $MK_u$ to be stored in each
regular sensor node u and the special key SK in each auxiliary sensor node
$AS_i$.

Our scheme involves small computation overheads. A regular sensor node has
to perform one MAC operation and one symmetric key decryption.

We note from our direct key establishment phase that the communication is
in one-hop range only. Though multi-hop communication will introduce some
communication overheads, we see from our analysis that the supplemental
key establishment can be done using only a one-hop procedure. Moreover,
such a phase need not be invoked frequently, since the direct key
establishment phase will ensure high network connectivity.



5. Simulation Results

In this section, we describe the simulation results of network
connectivity of our scheme.

We have implemented our proposed scheme for static networks as well as
mobile networks. We have considered the following parameters for
simulation of network connectivity of our scheme:

• The number of regular sensor nodes in the network is n = 5000.

• The number of auxiliary sensor nodes is m < 500.

• The average number of neighbor nodes for each node is d = 80.

• The communication range of each sensor node is ρ = 30 meters.

• The area A of the target field is taken so that the maximum network size
becomes

_ {d+l)xA

We assume that the target field is a flat region. The regular sensor nodes
are randomly deployed in the target field. For deployment of auxiliary
sensor nodes, we logically divide the target field into c × c cells, where
c = 1 •. For each cell, an auxiliary sensor node is to be deployed randomly
in that cell.

In our simulation, we only consider the direct key establishment phase in
which if a regular sensor node u wants to establish a pairwise key with
its neighbor regular sensor node v, node v will send a request to an
auxiliary sensor node within its neighborhood. Once such an auxiliary
sensor node is discovered by v, nodes u and v establish a pairwise key
between them.

Figure 3. Simulation vs. analytical results of direct network connectivity
p of our scheme, with n = 5000, m < 500 and d = 80, under static network.

The simulation results versus the analytical 
results of direct network connectivity p of our 
scheme are plotted in Figure 3. In this figure, 
we assume that all the nodes are static. From 
this figure we observe that our simulation results 
closely tally with the analytical results. 

We have also simulated the direct network connectivity p of
our scheme under a mobile environment. We assume that after
deployment the auxiliary sensor nodes remain static, whereas
the regular sensor nodes will be highly mobile. We have
considered that any regular sensor node can move from its
current location in the target field within the range of twice
its communication range. The simulation results for mobile
regular nodes are shown in Figure 4. From this figure, we see
that our scheme is well suited for highly mobile sensor
networks, because no matter how many regular sensor nodes are
mobile in the network, the overall network connectivity does
not degrade. 

Figure 4. Simulation results of direct network connectivity p
of our scheme for mobile regular sensor nodes under different
situations, with n = 5000, m < 500 and d = 80. 
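The simulation setup of this section can be sketched as a small Monte Carlo run; this is an added example, not the authors' simulator. It assumes a square field whose area satisfies n = (d + 1) × A / (π ρ²), a grid with c = ⌈√m⌉ (both garbled in the text above), and writes the 30-meter communication range as rho.

```python
import math
import random

def field_side(n, d, rho):
    # Assumption: area A chosen so that n = (d + 1) * A / (pi * rho^2); square field.
    return math.sqrt(n * math.pi * rho ** 2 / (d + 1))

def deploy(n, m, side, rng):
    """Uniform regular nodes; one auxiliary node placed at random in each grid cell."""
    regular = [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n)]
    c = math.ceil(math.sqrt(m))  # assumption: c x c grid with c = ceil(sqrt(m))
    cell = side / c
    aux = [((i + rng.random()) * cell, (j + rng.random()) * cell)
           for i in range(c) for j in range(c)]
    return regular, aux

def move(regular, side, rho, fraction, rng):
    """Move a fraction of regular nodes by up to 2*rho, clamped to the field."""
    moved = []
    for x, y in regular:
        if rng.random() < fraction:
            r, t = rng.uniform(0, 2 * rho), rng.uniform(0, 2 * math.pi)
            x = min(max(x + r * math.cos(t), 0.0), side)
            y = min(max(y + r * math.sin(t), 0.0), side)
        moved.append((x, y))
    return moved

def direct_connectivity(regular, aux, rho):
    """Fraction of regular nodes with at least one auxiliary node in range."""
    r2 = rho * rho
    hits = sum(any((x - ax) ** 2 + (y - ay) ** 2 <= r2 for ax, ay in aux)
               for x, y in regular)
    return hits / len(regular)

def simulate(m, mobile_fraction=0.0, n=5000, d=80, rho=30.0, seed=1):
    rng = random.Random(seed)
    side = field_side(n, d, rho)
    regular, aux = deploy(n, m, side, rng)
    if mobile_fraction > 0:
        regular = move(regular, side, rho, mobile_fraction, rng)
    return direct_connectivity(regular, aux, rho)

if __name__ == "__main__":
    for m in (50, 100, 200, 500):
        print(m, round(simulate(m), 3), round(simulate(m, mobile_fraction=1.0), 3))
```

Under these assumptions, once the cell diagonal drops below the communication range every regular node has an auxiliary node in reach wherever it moves, which is why mobility of the regular nodes leaves the connectivity unchanged.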

6. Comparison with Previous Schemes 

In this section, we compare the performance of our proposed
method with that of the previous schemes, namely, the EG
scheme [3], the q-composite scheme [3], the polynomial-pool
based scheme jll] and Dong and Liu's scheme [6]. The reason
for considering those schemes is that there is no restriction
in applying those schemes on mobile sensor networks. 

Figure 5 shows the relationship between the fraction of
compromised links between non-compromised nodes versus the
number of nodes captured. For the EG scheme [3], the
q-composite scheme [3] and the polynomial-pool based scheme
[14], we assume that each node has available storage for
holding 200 cryptographic keys in its memory. The network
connectivity probability p is taken as p = 0.33 with suitable
values of the parameters for the different schemes. 



Figure 5. Comparison of resilience against node 
captures between different schemes. Pe(c) de- 
notes the fraction of compromised links between 
non-compromised sensor nodes after capturing c 
sensor nodes in the network and p denotes the 
probability of establishing pairwise keys between 
neighbor sensor nodes. 



We clearly see that our scheme provides significantly better
security against node captures than the EG scheme, the
q-composite scheme and the polynomial-pool based scheme.
Moreover, our scheme has better security than Dong and Liu's
scheme. 

In our proposed scheme, only a single master key is stored in
each regular sensor node and also a single special key SK is
stored in each auxiliary node to achieve high performance.
Thus, no matter how many sensor nodes are in the network, our
scheme requires only a single key to be stored, which is
extremely memory efficient for large-scale wireless sensor
networks. In Dong and Liu's scheme, though each regular sensor
node needs to store a single key, each assisting node needs to
store all the hash images of keys of regular sensor nodes. On
the other hand, the EG scheme, the q-composite scheme and the
polynomial-pool based scheme require considerable storage for
achieving high network performance. 

The existing schemes (the EG scheme, the q-composite scheme
and the polynomial-pool based scheme) require considerable
communication as well as computational overheads in order to
establish pairwise keys between neighbor nodes. In these
schemes, the path key establishment procedure is a complicated
one and requires a lot of communication and computational
overheads. In our scheme as well as Dong and Liu's scheme,
only a small number of symmetric key operations and PRF
operations (in our scheme) or hash operations (in Dong and
Liu's scheme) are required in order to establish a pairwise
key between neighbor nodes. Zhu et al. [1^ pointed out that
due to the computational efficiency of the PRF function, the
computational overhead of the PRF function is negligible. As a
result, the actual computational overhead is low in our scheme
compared to that for Dong and Liu's scheme. 

7. Conclusion 

We have proposed a new key pre-distribution scheme suitable
for highly mobile sensor nodes with the help of additional
auxiliary sensor nodes. Our scheme provides higher network
connectivity than the previous schemes. Our scheme always
guarantees unconditional security against node capture attack.
It supports dynamic node addition efficiently compared to the
previous schemes. Overall, our scheme has a better trade-off
among network connectivity, security, storage, communication
and computation overheads compared to the previous schemes. In
addition, our scheme also works for any deployment topology. 